Note added 1997-08-18:
The vulnerability exploited in this crack was in Lasso, a CGI database
interface to FileMaker Pro. Blue World, the developers of Lasso, not only fixed
the bug within 24 hours -- on a Sunday -- but also offered to underwrite the
entire cost of the 100,000-kroner prize. With the Lasso fix in place, Joakim
Jardenberg has reopened the Crack-a-Mac challenge. See [0] for details.

Joakim Jardenberg <joakim at infinit dot se> opened a challenge to
all the world's hackers called "Crack-a-Mac, the Next Generation"
[1] on July 4. (A previous Crack-a-Mac challenge had gone unbroken
[2].) On Sunday 8/17 he declared: "The challenge is off
due to what looks like a perfectly successful crack" by an
Australian hacker called Starfire <Starfire at bellair dot net>. Jardenberg
is withholding details of the crack, which affects neither the MacOS
nor the WebSTAR server itself, because no fix is yet available.
Apple's Chuq Von Rospach <chuqui at plaidworks dot com>, who knows
the details of the attack, called it "subtle, non-obvious, and a real
gem." Jardenberg and Von Rospach said that the crack depends on site
configuration and would affect comparatively few sites.
Jardenberg writes on the challenge's top page, "Puhhh, what a lousy
way to wake up..." Here is his email.

Bad news. Around 07.30 (GMT+0200) this Sunday morning the
Crack a Mac challenge was cracked. At this time we can not
reveal the method that was used, as there is no fix for the
problem yet!

We will return with more public info as soon as there is a
solution.

Worried Mac webmasters with a setup that is similar to the one
used at the Crack a Mac server can send a private mail to
jokim@infinit.se with brief information about their setup and
if they are in the "danger-zone" they will receive a mail with
an outline of the problem.

Hope you understand that it is for everyone's safety that we
are careful about this info...

The Cracker is a wise and friendly guy from Australia, who
really deserves the 100.000 kronor.

The cracked page is available from the server:
http://hacke.infinit.se/

Best regards

/Jocke

Here is the message that Starfire added to the challenge's home page
to claim the 100,000-kroner prize:

Ogle This:

This has been quite a challenge.

But then what would you expect from a Mac. The OS is Rock Solid
and enthroned on a pretty funky system.

I will hopefully own one very soon....

Once the appropriate considerations have been addressed by the
administrators of this site, I hope they will continue the quest.
They have every reason to be confident...

Perhaps APPLE will take the hint and support people like Joakim.
He and his current sponsors richly deserve a pat on the back.
Few people have the guts to pull it off...

The US crypto export policy, which has lately been looking more and
more like a Swiss cheese, last week took on the semblance of an
aerogel [3]. On 8/11 at Hacking in Progress 97 [4], a hackers'
gathering convened on a campground near Amsterdam, European hackers
completed the first phase of the PGP 5.0i project: they posted a
perfect copy of PGP 5.0 source code on the Net [5]. (This is the
Unix command-line version -- Windows and Macintosh variants will be
completed in the coming weeks.) The source code was exported from
the US legally, in the form of a 6,000-page book -- US restrictions
on crypto export exempt material in printed form. Ståle Schumacher
<stale at hypnotech dot com>, maintainer of the International PGP
Home Page in Oslo, Norway, coordinated a team of offshore workers
who scanned, proofread, and compiled the code. The story has been
picked up by ZDNet [6] and by InfoWorld [7]. Bruce Schneier, author
of Applied Cryptography, said of the exploit: "Inherently you can't
protect data with a national boundary. Export systems do not work --
encryption software has been out in the public domain for a long
time."

Rodney Thayer <rodney at sabletech dot com>, security consultant and
stalwart of the Digital Commerce Society of Boston, was in Munich [8]
last week at the thrice-yearly meeting of the Internet Engineering
Task Force [9]. By special arrangement TBTF carried his dispatches
from that front each day. The conference began breaking down its
systems at noon on Friday, so Thayer's final dispatch hasn't arrived
as this issue wraps; it will appear soon as a Tasty Bit of the Day.
The entire week's reporting on the folks who define the Net resides
on the TBTF archive [10] by permission.

Day 0: The scene
Day 1: The games begin
Day 2: Are you in possession of Digital Identity Hash?
Day 3: Ssh. People are watching the network!
Day 4: Them vs. us -- or, strange bedfellows
Day 5: (not yet)

Quick, who's making the most money selling software? Bet the first
companies that came to mind were Microsoft and Oracle, in that order. They
are actually numbers two and five on the list. Only three pure-play
software companies (the other is Novell) make the top ten. They're
outgunned in the software market by companies offering their
customers enterprise-scale services and integration, and in some cases
iron as well.

From Edupage (1997-08-14):

The ten leading companies in software revenue last year were
(in descending order): IBM, Microsoft, Hitachi, Computer
Associates, Oracle, Fujitsu, SAP, Bull HN Information Systems,
Digital Equipment Corporation, and Novell. And of the top
thirty companies, 37% are in California, 13% in Massachusetts,
10% in Pennsylvania, 7% in New York, and 33% in other states,
provinces, and countries. (Investor's Business Daily 13 Aug 97)

Most commercial lasers you encounter day-to-day (those in CD-ROM
readers, for example) radiate in the infrared. For more than three
decades researchers have pursued the dream of the blue laser -- a
semiconductor that emits continuous pure blue light at room
temperature. Blue laser light, higher in frequency and shorter in
wavelength than infrared, could record and read data in smaller areas.
A current-day CD-ROM device constructed with such a laser could
store 2.7 GB, and a DVD device 28 gigs, with no other changes in
the mechanism.

Scientific American reports [11] that a Japanese researcher of
almost legendary stature among his peers, Shuji Nakamura of Nichia
Chemical Industries, has demonstrated a gallium nitride laser that
produced light for over 100 hours. (Rather a showman, Nakamura used
one of his blue lasers as a pointing device at a scientific
conference.) Nakamura hopes to achieve a commercial-grade laser capable
of 100,000 hours of operation by 1998.

This note from Allan Hurst <allanh at supportnet dot com> purports
to finger the best restaurants in Silicon Valley for lunchtime
intelligence gathering. Got any other favorites? (I sense another
TBTF feature in the making.) Remember, the emphasis should be on
a restaurant's industrial espionage potential; other considerations,
such as ambience, good food, or speedy service, are secondary.

Over the past ten years, I've gotten some of my very best --
read: "most accurate" -- information having lunch in Cupertino.
Sitting around outside at Erik's DeliCafe on Stevens Creek in
Cupertino, having a leisurely solo lunch while reading a newspaper,
can be MOST informative. Chili's and Uno's down the street aren't
bad for information gathering, either. Ditto Fresh Choice (at
Vallco Fashion Park) and The Peppermill (on DeAnza).

Companies oft-overheard in the Cupertino area include Apple,
Tandem, HP, Microsoft, and Symantec. Chip-level hardware
information (e.g., Intel, NatSemi, Cirrus, etc.) can often be
overheard at the McDonald's on Lawrence Expressway or the
Carl's Jr. on Bowers, both in Santa Clara. Very occasionally,
interesting corporate-level tidbits can be overheard in the
evening at Chef Chu's, in Los Altos.

P.S. -- For years, the McDonald's on Lawrence was hysterical
during lunchtime. Their french-fry timing computer had an
electronic beeping tone that sounded so much like a Motorola
pager that multiple people in line could be seen grabbing at
their beepers every time a new batch of fries was ready.
They've long since changed out the french fry timing computer
for a new automated fry-robot which is comparatively silent.
What they lost in audio atmosphere they gained in geeky
spectatorship, as customers in line stare at the fry-bot, utterly
mesmerized by its movements. The interaction of people and
technology never ceases to fascinate me.

One cultural innovation from England that deserves to spread more
widely is a series of diminutive books called the Bluffer's Guides.
They run about 60 pages and £3. You won't find them in most local
bookstores in the US. (My local bookstore stocks the Guides [12],
but then my home is on the Net.) W.H.Smith or Waterstones may carry
them in the physical world. (Smith is still working on their Web
site [13], while Waterstones' is well developed [14].) Each slim
volume in the Bluffer's Guides series -- there are over 50 of them --
attempts to convey enough of the buzzwords and context of its
particular topic to allow the reader to pass as an expert in casual
conversation. Topics range from Advertising, Antiques, and Ballet
through Skiing, University, and Wine. The booklets are constructed
to a simple formula. Each section begins with an admirably pithy
definition of its term and then proceeds to skewer and slather its
subject in robust post-Python style. If you were to read only the
opening paragraph of each section, you would discover embedded
within each Guide an even smaller tract that illuminates its subject
thoroughly and concisely. Consider these examples from "Bluff your
way on the Internet" [12].

Understanding URLs:

URLs contain similar cryptic sequences of letters to e-mail
addresses (.kwiknet.co.uk etc.) but are easy to tell apart. An
e-mail address always has the @ symbol in the middle and no /
marks. A URL never has an @ and, apart possibly from the home
page, will be full of / marks. Indeed, a URL can sprawl over
several lines: the computer where the site resides may store
hundreds of thousands of files, and the / marks help it to
sort the files into groups.

Using Newsgroups:

On screen, a newsgroup looks like a catalog of titles. You
click on one which looks interesting to view the text of that
particular posting. Successive postings in reaction to each
other can result in a discussion straying somewhat from the
original topic. Titles such as "Re: Lewd acts with vegetables
(was: Recommendations please for best CD of Mahler's Fifth)"
are common.
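The guide's URL-versus-e-mail rule of thumb, written out as code so it can be checked against real inputs. This is an added example, not from the book or from TBTF. It classifies a plain mailbox and a plain URL as the guide says, but a URL of the RFC 1738 form //user:password@host/path contains both an @ and / marks, and a browser sends the request to whatever host follows the @, which is exactly why that form turns up in deceptive links. The hostnames used (example.com, bank.example, evil.example) are constructed; urllib.parse is the Python standard library.

```python
from urllib.parse import urlsplit


def bluffers_guess(s: str) -> str:
    """The guide's rule taken literally: '@' and no '/' means e-mail,
    '/' and no '@' means URL, and anything else it cannot bluff."""
    has_at, has_slash = "@" in s, "/" in s
    if has_at and not has_slash:
        return "email"
    if has_slash and not has_at:
        return "url"
    return "unknown"


def where_it_goes(url: str) -> dict:
    """Parse the authority the way a browser does (RFC 1738
    //user:password@host/path): the host is what follows the '@',
    the part before it is merely credentials the server may ignore."""
    parts = urlsplit(url)
    return {"host": parts.hostname, "userinfo": parts.username, "path": parts.path}


def classify(s: str) -> str:
    """Scheme-aware version: a scheme plus '//authority' is a URL no
    matter what the authority contains; only then fall back to the
    mailbox check."""
    parts = urlsplit(s)
    if parts.scheme and parts.netloc:
        return "url"
    local, at, domain = s.partition("@")
    if at and local and "/" not in s and "." in domain:
        return "email"
    return "unknown"


# Constructed inputs; the hostnames are reserved or illustrative, not real sites.
SAMPLES = [
    "doyle@cs.und.edu",
    "http://www.example.com/guides/internet/index.html",
    "http://www.bank.example@evil.example/login",  # userinfo ahead of the real host
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:52} guide: {bluffers_guess(s):8} parser: {classify(s)}")
    print(where_it_goes(SAMPLES[2]))
```

The third sample is the one to remember: the guide's heuristic gives up on it, and a reader who only eyeballs the first thing after "http://" sees the bank, while the parser reports that the request goes to evil.example.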

The people responsible for the Bluffer's Guides reserved the name
bluffers.com a year ago but have not put up a Web page. After
publishing [12] I don't see how they could.

Note added 2002-11-29:
I received this note from Tobias Steed of Oval Books:

Thank you for your kind words about The Bluffer's Guides on your web site.

I... am happy to tell you that we have had a considerable web
presence for the last two years: www.bluffers.com or
www.ovalbooks.com. You may also be interested to know that the
titles are now available in the US through our US distributor
Globe Pequot Press and therefore more readily available through
amazon.com and on the internet retailers as well as Borders and
select other stores. Individuals can order from Globe on
1-800-243-0495.

Notes

Today's TBTF title comes from a Kenny Rogers song about poker, a
game singularly in tune with the American character, and the
natural habitat of the bluffer. Tonight the Internet let me down
(as another country/western title has it): I could not turn up
the song's author or title on the Web and had to fall back on
good old-fashioned telephonic friendware. (Thanks, Greg and Val.)
The song is called The Gambler [15], [15a].

The song The Gambler is not from a movie. It was written by Don Schlitz in
1978. It was Don's first hit, though he went on to become one of the most
successful songwriters of the 80's, and is still quite active. The song
was cut by Bobby Bare on RCA and by Don, himself, on Capitol before Kenny
Rogers cut it in mid 1979. Kenny changed the melody ever so slightly and
made it a standard. The song was so successful that a TV movie and a
series of sequels were made BECAUSE of it.

I knew Don Schlitz when he was still a struggling writer. He worked nights
at the Vanderbilt University computer center, where I would visit him. He
did some kind of work tending to the mainframes. The very last time I saw
him was the day Kenny Rogers cut the Gambler. He had just come from the
session and felt that Kenny had done a hell of a job. I have not been back
to Nashville since 1979, and hence haven't run into him since.

Going to a technical conference or trade show that would interest
TBTF readers? Email me before you leave if you're willing to
write daily dispatches for this newsletter.

I dislike spam as much as you do, and I don't want to make it easy
for the spammers' address-hoovering tools to collect victims'
contact information from the TBTF home and archive. (Note that no
reader has complained about this to date.) On the other hand, I
want to make it possible for members of the TBTF community privately
to contact people mentioned in the articles, should they
want to. For these reasons I've started a new convention on the
Web site when referencing the email addresses of correspondents,
informants, or participants in the stories that appear in this
newsletter: I add plausible obfuscation to each such address,
except for my own. (This doesn't apply to the retro-push edition.) It
works like this:

Email address as it appears in TBTF: <doyle at cs dot und dot edu>

Actual email address: <doyle@cs.und.edu>
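The convention in code, as an added example rather than anything TBTF itself runs: an encoder and decoder for the "user at host dot tld" form, beside two harvesters, one that knows only the literal @ (the commodity address-hoovering tool of the day) and one that has learned the convention. The point it makes is the practical one: the obfuscation defeats the first and is mechanically reversible by the second, so it buys privacy against tools that have not been told the pattern, not against a harvester written for this newsletter. Assumptions not stated on the page: a dot inside the local part is written " dot " as well, and the naive harvester's regular expression and the sample text below are constructed for the example.

```python
from __future__ import annotations

import re

# Matches the newsletter's "<user at host dot tld>" form. Assumption (not
# stated on the page): dots in the local part are written " dot " too.
_OBFUSCATED = re.compile(
    r"<(?P<local>[\w+-]+(?: dot [\w+-]+)*)"
    r" at "
    r"(?P<domain>[\w-]+(?: dot [\w-]+)+)>",
    re.IGNORECASE,
)

# An assumed commodity harvester: a literal '@' followed by a dotted host.
_NAIVE_HARVESTER = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def obfuscate(addr: str) -> str:
    """Render addr in the TBTF convention: '@' -> ' at ', '.' -> ' dot '."""
    local, at, domain = addr.partition("@")
    if not at or not local or "." not in domain:
        raise ValueError(f"not a mailbox address: {addr!r}")

    def to_words(s: str) -> str:
        return s.replace(".", " dot ")

    return f"<{to_words(local)} at {to_words(domain)}>"


def deobfuscate(obfuscated: str) -> str:
    """Invert obfuscate(); rejects anything not in the convention."""
    m = _OBFUSCATED.fullmatch(obfuscated)
    if m is None:
        raise ValueError(f"not in the TBTF convention: {obfuscated!r}")

    def from_words(s: str) -> str:
        return s.replace(" dot ", ".")

    return f"{from_words(m['local'])}@{from_words(m['domain'])}"


def harvest_naive(text: str) -> list[str]:
    """What an address-hoovering tool that only knows '@' collects."""
    return _NAIVE_HARVESTER.findall(text)


def harvest_aware(text: str) -> list[str]:
    """What the same tool collects once taught the convention."""
    return [deobfuscate(m.group(0)) for m in _OBFUSCATED.finditer(text)]


# Constructed sample of newsletter-style text (not a real TBTF excerpt);
# the editor's own address is left in the clear, as the page says.
SAMPLE = (
    "Rodney Thayer <rodney at sabletech dot com> reported from Munich.\n"
    "Ståle Schumacher <stale at hypnotech dot com> coordinated the scanning.\n"
    "Editor <editor@example.org> is not obfuscated.\n"
)

if __name__ == "__main__":
    print(obfuscate("doyle@cs.und.edu"))
    print("naive harvester:", harvest_naive(SAMPLE))
    print("aware harvester:", harvest_aware(SAMPLE))
```

Run it and the naive harvester returns only the unobfuscated editor address, while the convention-aware one recovers both correspondents; the round trip through obfuscate() and deobfuscate() is lossless, which is what makes the second harvester possible.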

Thanks to Tad Staley <tstaley at msn dot com> for this suggestion,
and more generally for pointing out the very existence of "the
TBTF community." Hmm. Consequences will flow from this insight.